CN116260625A - Unified authentication method for users under multi-node condition of self-organizing network environment - Google Patents

Info

Publication number
CN116260625A
Authority
CN
China
Prior art keywords
node
authentication
user
content
license
Prior art date
Legal status
Pending
Application number
CN202211727978.9A
Other languages
Chinese (zh)
Inventor
朱先忠
王卓君
王文鹏
吴光硕
辛慧洋
常文超
黄德军
师文轩
楚义芳
Current Assignee
Nankai University
Original Assignee
Nankai University
Priority date
Filing date
Publication date
Application filed by Nankai University
Priority to CN202211727978.9A
Publication of CN116260625A
Legal status: pending (current)

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/06 for supporting key management in a packet data network
                        • H04L63/061 for key exchange, e.g. in peer-to-peer networks
                    • H04L63/08 for authentication of entities
                        • H04L63/0823 using certificates
                        • H04L63/083 using passwords
                        • H04L63/0876 based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
                • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
                        • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
                            • H04L9/0869 involving random numbers or seeds
                    • H04L9/14 using a plurality of keys or algorithms
                    • H04L9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                        • H04L9/3247 involving digital signatures
                        • H04L9/3263 involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Abstract

The invention discloses a unified user authentication method for the multi-node case of an ad hoc network environment. It is based on triple authentication by the license authentication node of a content chain, performed when a user registers, when a reading device joins and when a registration node joins the content chain, and comprises the following steps: user authentication when a user registers in the content chain; device authentication when a reading device joins the content chain; node identity authentication when a node joins the content chain. Because obtaining the content itself requires node authentication, device authentication and user authentication through the license authentication node, the method secures both the operation of the content chain and the content chain's data, and lets the other nodes in the content chain concentrate on their specific business, relieving them of security-verification pressure.

Description

Unified authentication method for users under multi-node condition of self-organizing network environment
Technical Field
The invention relates to the technical field of distributed self-organizing networks, and in particular to a unified user authentication method for the multi-node case of a self-organizing network environment.
Background
An ad hoc network combines mobile communication with computer networking and is a type of mobile computer network. All nodes in an ad hoc network have equal standing, so it is a peer-to-peer network. Nodes can join and leave the network at any time, and the failure of any single node does not affect the operation of the whole network, which gives the network strong survivability.
Node authentication in an ad hoc network typically takes the following form: authentication between a new node and its neighbouring nodes requires a three-way authentication handshake, in which the new node obtains authentication from an authentication server, the new node authenticates the neighbouring node, and the neighbouring node authenticates the new node. This prior-art approach requires every node to carry an authentication function of its own.
The main form of user authentication today is 2FA (Two-Factor Authentication), called "double factor authentication" in Chinese: authentication must combine two factors (something you know, the password, and something you have, the verification code) to establish the user's identity, where the thing you have is a credential type used to verify that someone or something is who or what they claim to be. Two-factor authentication reduces the likelihood of an intruder masquerading as an authorized user.
A very widely used user authorization mechanism at present is OAuth 2.0, which authorizes a third-party application to obtain user data. OAuth 2.0 defines four authorization modes: the authorization code mode, the simplified (implicit) mode, the password mode and the client mode. The authorization code mode is the most complete in function and the strictest in flow. Its characteristic is that the client's back-end server interacts with the service provider's authentication server, which avoids the information leakage that direct interaction between the user's browser and the authentication server could cause; in the authentication and authorization process the resource owner authenticates directly with the authentication server, so the resource owner's credentials never have to be shared with the client. The other modes are all simplifications of this mode.
In order to start from the technical basis of the underlying layer, the applicant independently developed an open-source blockchain architecture suited to the content-publishing application scenario and built a content chain on it. The content chain is an ad hoc network oriented to content distribution that draws on the advantages of a distributed autonomous network. It is therefore necessary to design a secure, unified authentication mechanism for a distributed network environment that builds on existing authentication mechanisms and on the characteristics of the content chain itself.
Disclosure of Invention
The invention aims to provide a unified user authentication method for the multi-node case of a self-organizing network environment that addresses the technical defects of the prior art.
The technical scheme adopted to achieve this aim is as follows:
A unified user authentication method for the multi-node case of a self-organizing network environment is based on triple authentication by the license authentication node of a content chain, performed when a user registers, when a reading device joins and when a registration node joins the content chain, so that a user must pass node authentication, device authentication and user authentication to obtain content data from the content chain, which secures both the operation of the content chain and its data transmission. The method comprises the following steps:
User authentication when a user registers in the content chain: after the identity information submitted by the registering user has been verified, the license authentication node returns a unique user id and at the same time generates a user identity public/private key pair for the registered user; the license authentication node then authenticates the user automatically, by encryption and decryption with the user identity key pair, during identity authentication and during the upload and retrieval of content objects.
Device authentication when a reading device joins the content chain: to add a reading device to the content chain, its app program is submitted to the license authentication node and tested; once the license authentication node's verification passes, the reading device is trusted and the license authentication node issues a device public/private key pair to the joining reading device. The device key pair is used to authenticate the device: transmitted data is encrypted with the device public key and decrypted with the device private key after the reading device receives it.
Node authentication when a node joins the content chain: after the node's registration information has been filled in, it is submitted to the root node; on receiving the registration application, the root node randomly generates a symmetric key to serve as a password and returns it to the registering node by mail. After the root node's verification passes, it forwards all of the information together with the randomly generated password to the license authentication node. On receiving this information the license authentication node generates a public/private key pair for the registering node, records the node's type in its information list, encrypts the node key pair and the node's registration information into an encrypted package using the password passed on by the root node, and sends the encrypted package to the registering node by mail. The node registration information identifies the current node, and the node key pair is used for signing and signature verification when the content chain reaches consensus.
The license authentication node acts as a trusted CA: it issues the CA certificates required for HTTPS transmission to the nodes in the content chain that need them, and each such node adds the license authentication node's CA certificate to its own trusted CA certificates, thereby trusting every certificate issued by the license authentication node.
The license authentication nodes comprise a primary license authentication node and a secondary license authentication node; the secondary keeps a full backup of the primary's content, and when the primary license authentication node fails the secondary is switched into the working state.
Heartbeat detection among the root node, the primary license authentication node and the secondary license authentication node keeps the primary and secondary in a normal state: when the primary's heartbeat is not detected, the secondary license authentication node is switched into the working state; after the primary is restored, it takes a full backup from the secondary and thereafter operates in the role of the secondary; when the secondary's heartbeat is not detected, the secondary is repaired and, once it is back to normal, takes a full backup from the primary license authentication node.
When the secondary license authentication node starts, it synchronizes data from the primary by full backup; to keep the secondary consistent with the primary's data during operation, real-time incremental backup is performed on the secondary, and whenever the primary license authentication node has a data update it sends a synchronization message to the secondary.
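The heartbeat failover and backup rules above, modelled as an added example that is not part of the patent or of the content chain's own code: the root node runs heartbeat detection and drives the role switch, a data update on the working node is pushed to the peer as an incremental sync, and a returning node takes a full backup before resuming. The timeout value, class and field names and the in-memory data dict are assumptions made for this example.

```python
"""Primary/secondary license authentication node failover driven by heartbeats.

Added illustration, not the patent's own code. Rules modelled:
  - the secondary holds a full backup and gets a sync message per data update;
  - a missed primary heartbeat switches the secondary into the working state;
  - a restored primary takes a full backup from the working node and then
    continues in the role of the secondary;
  - a secondary that returns after a missed heartbeat resyncs from the primary.
HEARTBEAT_TIMEOUT and all names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict

HEARTBEAT_TIMEOUT = 3.0  # seconds without a heartbeat before a node counts as down (assumed)


@dataclass
class LicenseNode:
    name: str
    role: str                       # "primary" or "secondary"
    working: bool                   # True if currently serving requests
    alive: bool = True
    last_heartbeat: float = 0.0
    data: Dict[str, str] = field(default_factory=dict)

    def full_backup_from(self, other: "LicenseNode") -> None:
        # Full backup: replace our copy with the peer's entire data set.
        self.data = dict(other.data)


class RootNode:
    """Root node's view: runs heartbeat detection and drives role switches."""

    def __init__(self, primary: LicenseNode, secondary: LicenseNode) -> None:
        self.primary = primary
        self.secondary = secondary

    def working_node(self) -> LicenseNode:
        return self.primary if self.primary.working else self.secondary

    def heartbeat(self, node: LicenseNode, now: float) -> None:
        node.alive = True
        node.last_heartbeat = now

    def update(self, key: str, value: str) -> None:
        """Data update on the working node, with real-time incremental sync to the peer."""
        src = self.working_node()
        src.data[key] = value
        peer = self.secondary if src is self.primary else self.primary
        if peer.alive:
            peer.data[key] = value   # the synchronization message carrying the increment

    def check(self, now: float) -> str:
        """One heartbeat-detection step; returns the action taken."""
        p, s = self.primary, self.secondary
        if p.alive and now - p.last_heartbeat > HEARTBEAT_TIMEOUT:
            p.alive, p.working = False, False
            s.working = True                  # secondary switched into the working state
            return "secondary_switched_to_working"
        if s.alive and now - s.last_heartbeat > HEARTBEAT_TIMEOUT:
            s.alive = False                   # secondary must be repaired
            return "secondary_down_repair"
        return "normal"

    def restore(self, node: LicenseNode, now: float) -> str:
        """A node that has come back: full backup from its peer, then resume."""
        node.alive, node.last_heartbeat = True, now
        if node is self.primary:
            # Restored primary: back up from the working secondary, then run as secondary.
            node.full_backup_from(self.secondary)
            node.working = False
            self.primary, self.secondary = self.secondary, node
            self.primary.role, self.secondary.role = "primary", "secondary"
            return "restored_as_secondary"
        node.full_backup_from(self.primary)   # repaired secondary resyncs from the primary
        return "secondary_resynced"
```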
When an authenticated reading device is used for reading, the content chain sends an encrypted content object together with a content license. The content license is used to decrypt the content object and is itself doubly encrypted, with the device public key and with the user public key, so that only a reading device authenticated by the license authentication node can decrypt it, using the device private key and the user private key, and read.
When a user is authenticated and registered, the content chain is also interfaced with the publishing system, and the user's account in the publishing system is automatically associated with the user's account in the content chain through a user association mechanism.
The automatic association of a user account in the publishing system with a user account in the content chain through the user association mechanism comprises the following steps:
Login and registration information is stored in two places, one copy in the publishing system and one in the content chain, with the mailbox (e-mail address) serving as the unique identifier. When a new user registers, the publishing system is checked first for the user's information; if it is not there, a request is sent to the license authentication node to check for it, and if it is not there either, the user is registered at the license authentication node and at the local publishing end simultaneously; if the user's information already exists at the license authentication node, the user is registered in the publishing system and associated with the existing content chain user. At login, both the publishing system and the content chain are queried; when the publishing system does not have the user, the user is logged in directly through the content chain and then implicitly registered in, and associated with, the publishing system.
The presence of the license authentication node in the content chain reduces the security requirements on the other nodes: the other nodes in the network do not store the content data itself, only encrypted copies, so stored content is not lost if a node is attacked. Obtaining content from the content chain requires the triple authentication of node authentication, device authentication and user authentication, and this design lets the other nodes concentrate on their specific services, relieving their load. When the content chain is accessed from outside, the other nodes are contacted first and only they contact the license authentication node, which further reduces the exposure of the license authentication node to attack.
Drawings
Fig. 1 is a schematic diagram of unified authentication of a user under a multi-node condition in an ad hoc network environment according to an embodiment of the present invention.
Fig. 2 is a schematic diagram of a user account association procedure at the time of user registration according to an embodiment of the present invention.
Fig. 3 is a schematic diagram of a node authentication process according to an embodiment of the present invention.
Detailed Description
The invention is described in further detail below with reference to the drawings and the specific examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
In the embodiment of the invention, the self-organizing network is a content chain built on an open-source blockchain architecture: a self-organizing network oriented to content distribution that absorbs the advantages of a distributed autonomous network. It combines mobile communication with computer networking and is a mobile computer network. The content chain's self-organizing network comprises a number of nodes, all of equal standing, so it is a peer-to-peer network. Each node can join and leave the self-organizing network at any time, and the failure of any node does not affect the operation of the whole network, which gives the self-organizing network strong survivability. The content chain includes a license authentication node and other nodes, such as content nodes that store content object data; transaction records are synchronized to the content nodes, and the license authentication node verifies whether a user holds content license rights on the basis of those transaction records.
In the embodiment of the invention, "nodes" are the several unit structures that communicate and connect with one another to form the digital content chain network; the unit structures making up the content chain interconnect into a network structure, which differs in meaning from the sequentially arranged nodes of a traditional blockchain.
In the embodiment of the invention, unified user authentication under the multi-node condition of the self-organizing network environment is shown in Fig. 1. The authentication process is carried out through the license authentication node of the content chain's self-organizing network: triple authentication is performed by the license authentication node when a user registers, when a reading device is added and when a registration node is added to the content chain, securing the operation of the content chain and its data transmission. The license authentication node provides the authentication function for the self-organizing network and guarantees the security of the content data. Its presence reduces the security requirements on the other nodes: the other nodes in the network do not store the content data itself, only encrypted copies, so stored content is not lost if a node is attacked. Obtaining the content itself requires the triple authentication of node authentication, device authentication and user authentication, and this design lets the other nodes concentrate on their specific services, relieving their load. When the content chain is accessed from outside, the other nodes are contacted first and only they contact the license authentication node, which further reduces the exposure of the license authentication node to attack.
In the embodiment of the invention, the license authentication node issues keys of the following types:
User identity public/private key: the user identity key pair is an asymmetric key pair; its public key is called the user public key and its private key the user private key. It is used to authenticate the reader's identity when the user reads and to authorize the reader: the content encryption key is encrypted with the user public key, and if the reader is entitled to a given content object, the user private key decrypts the content encryption key, which in turn decrypts the content object data for reading.
Node public/private key: the node key pair is an asymmetric key pair, one for each of the other nodes in the content chain; its public key is called the node public key and its private key the node private key. Node key pairs are used for identity authentication of content chain nodes in the consensus process, including the signing and verification of transactions by nodes, which ensures that the nodes joining the content chain are secure and trustworthy.
Device public/private key: the device key pair is an asymmetric key pair; its public key is called the device public key and its private key the device private key. Device key pairs authenticate and authorize the devices a user uses to read copyrighted content: an authorized device can read the copyrighted content, while unauthorized devices are prevented from maliciously obtaining it, protecting the security of the copyrighted content. When a reader reads on a reading device, a device that has been authenticated by the license authentication node can decrypt the content encryption key with its device private key.
The embodiment of the invention provides a user authentication mode: the license authentication node issues a user identity public/private key pair to each registered content chain user, which solves user identity authentication across all functional modules of the content chain, realizes user identity authentication by decryption or signature verification, and provides a mechanism for associating content chain users with users of other publishing systems.
When a user registers in the content chain, the necessary identity-proving information must be provided as prompted and is sent to the license authentication node. After the license authentication node has checked and accepted the identity information submitted by the registering user, it returns a unique user id and at the same time generates a user identity public/private key pair for the registered user, which is used for identity authentication to each functional module of the content chain; encryption and decryption with the user identity key pair then authenticate the user automatically during the upload and retrieval of content objects.
In addition, the content chain may be interfaced with a publishing system. In that case, a user's account in the publishing system can be automatically associated with the user's account in the content chain through the user association mechanism, whose flow is shown in Fig. 2. Referring to Fig. 2, the information of the login and registration function is stored in two places, one copy in the publishing system and one in the content chain, with the mailbox (e-mail address) as the unique identifier, and the flow is as follows: when a new user registers, the publishing system is checked first for the user's information; if it is not there, a request is sent to the license authentication node to check for it, and if it is not there either, the user is registered at the license authentication node and at the local publishing end simultaneously; if the user's information already exists at the license authentication node, the user is registered in the publishing system and associated with the existing content chain user. Likewise, at login both the publishing system and the content chain are queried, and when the publishing system does not have the user, the user is logged in directly through the content chain and then implicitly registered in, and associated with, the publishing system.
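The user association flow of Fig. 2 (registration checks the publishing system, then the license authentication node; login queries both and falls back to the content chain with implicit registration), as an added example that is not part of the patent or of the content chain's code base: the two stores are in-memory dictionaries keyed by mailbox, and the class names, outcome labels and user-id format are assumptions made for this example.

```python
"""User association between a publishing system and the content chain.

Added illustration, not the patent's own code. Two stores keyed by mailbox
(the unique identifier in the text): the license authentication node holds
content chain users and issues unique ids; the publishing system holds local
accounts that are associated with a content chain user. Outcome labels, the
id format and the class names are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class User:
    mailbox: str             # unique identifier shared by both systems
    content_chain_id: str    # unique user id issued by the license authentication node


class LicenseAuthNode:
    """Content chain side: registers users and issues unique user ids."""

    def __init__(self) -> None:
        self._users: Dict[str, User] = {}
        self._next_id = 1

    def lookup(self, mailbox: str) -> Optional[User]:
        return self._users.get(mailbox)

    def register(self, mailbox: str) -> User:
        # Constructed id format; the patent only requires the id to be unique.
        user = User(mailbox, f"cc-{self._next_id:04d}")
        self._next_id += 1
        self._users[mailbox] = user
        return user


class PublishingSystem:
    """Publishing system side: local accounts associated with content chain users."""

    def __init__(self, node: LicenseAuthNode) -> None:
        self.node = node
        self._local: Dict[str, User] = {}   # mailbox -> associated account

    def lookup(self, mailbox: str) -> Optional[User]:
        return self._local.get(mailbox)

    def register(self, mailbox: str) -> Tuple[str, Optional[User]]:
        """Registration: check the publishing system first, then the license node."""
        if mailbox in self._local:
            return "already_registered", self._local[mailbox]
        existing = self.node.lookup(mailbox)
        if existing is None:
            # Unknown everywhere: register at the license node and locally at the same time.
            user = self.node.register(mailbox)
            self._local[mailbox] = user
            return "registered_both", user
        # Already a content chain user: register locally and associate with that account.
        self._local[mailbox] = existing
        return "associated_existing", existing

    def login(self, mailbox: str) -> Tuple[str, Optional[User]]:
        """Login: query both systems; a chain-only user logs in through the chain
        and is implicitly registered in, and associated with, the publishing system."""
        local = self._local.get(mailbox)
        chain = self.node.lookup(mailbox)
        if local is not None:
            return "login_local", local
        if chain is not None:
            self._local[mailbox] = chain
            return "login_chain_implicit_register", chain
        return "unknown_user", None
```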
The embodiment of the invention provides a device authentication mode: a device public/private key pair is issued to each device trusted by the content chain, all transmitted data is encrypted with the device public key and decrypted with the device private key after the device receives the content, so that illegal devices are prevented from maliciously obtaining content. Different types of reading devices are allowed to join the content chain and read. To prevent illegal devices from maliciously obtaining content, a new type of device joining the content chain must submit its app program to the license authentication node; the program is then tested, the device is trusted once it passes manual verification, and the license authentication node issues a device key pair to the joining device.
The device key pair is used to authenticate the device: when a reader reads on the device, the content chain sends an encrypted content object together with a content license; the content license decrypts the content object and is itself encrypted with both the device public key and the user public key, so that only a reading device authenticated by the license authentication node can decrypt it, with the device private key and the user private key, and read.
The user private key cannot be used directly by the reading device; its use flow is as follows:
Step 11: after the user logs in on the device, the user's basic information can be viewed. When the user requests a content object, the (reading) device first checks whether it already holds the user key in encrypted form. If not, it obtains the encrypted user private key (encrypted under the user's content chain password) from the CA (the license authentication node); if so, no fetch is performed.
Step 12: after the user requests a content object, the first time the user agrees to let the device decrypt and read with the private key, the user must enter their content chain password to verify their identity. The password is entered on a page provided by the CA; once the password is accepted, the user private key is decrypted, and the content license is then decrypted with the user private key.
Step 13: the user chooses whether to trust the device. If the device is trusted, no password needs to be entered later; otherwise the password must be entered every time.
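The double-wrapped content license and the password-protected user private key of steps 11 to 13, as an added example that is not part of the patent: RSA-OAEP, AES-GCM and PKCS#8 password encryption from the `cryptography` package stand in for the algorithms the patent leaves unspecified, and the helper names are assumptions. Because RSA-OAEP cannot wrap the user-layer ciphertext directly, the device layer wraps a second symmetric key (hybrid wrapping), a detail the patent does not state; the property shown is that a device lacking either private key, or a user entering the wrong content chain password, obtains no usable content key.

```python
"""Content license wrapping and the reading-device use flow (steps 11 to 13).

Added illustration, not the patent's own code. RSA-OAEP and AES-GCM from the
`cryptography` package stand in for the unspecified user/device key pairs and
content encryption; PKCS#8 password encryption stands in for the user private
key "encrypted under the content chain password". Key sizes and names are
assumptions.
"""
import os
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def generate_keypair() -> rsa.RSAPrivateKey:
    """A key pair as issued by the license authentication node (user or device)."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def protect_user_private_key(user_priv: rsa.RSAPrivateKey, chain_password: bytes) -> bytes:
    """Step 11: what the CA hands to a reading device, the user private key
    encrypted under the user's content chain password."""
    return user_priv.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.PKCS8,
        encryption_algorithm=serialization.BestAvailableEncryption(chain_password),
    )


def unlock_user_private_key(blob: bytes, chain_password: bytes) -> rsa.RSAPrivateKey:
    """Step 12: the password entered by the user decrypts the private key.
    A wrong password raises ValueError, so the device never gets a usable key."""
    return serialization.load_pem_private_key(blob, password=chain_password)


def issue_content(plaintext: bytes, device_pub, user_pub) -> dict:
    """Content chain side: encrypt the object under a fresh content key, then wrap
    that key (the content license) with the user public key and, on top of that,
    with the device public key, so both private keys are needed to recover it."""
    content_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    ciphertext = AESGCM(content_key).encrypt(nonce, plaintext, b"content-object")
    inner = user_pub.encrypt(content_key, OAEP)               # user layer
    # RSA-OAEP cannot wrap the 256-byte inner blob directly, so the device layer
    # wraps a second AES key that encrypts the inner blob (hybrid wrapping).
    device_key = AESGCM.generate_key(bit_length=256)
    lic_nonce = os.urandom(12)
    license_blob = AESGCM(device_key).encrypt(lic_nonce, inner, b"content-license")
    return {
        "object": nonce + ciphertext,
        "license": lic_nonce + license_blob,
        "license_device_wrap": device_pub.encrypt(device_key, OAEP),   # device layer
    }


def read_content(pkg: dict, device_priv, user_priv) -> bytes:
    """Reading device side: device private key first, then user private key."""
    device_key = device_priv.decrypt(pkg["license_device_wrap"], OAEP)
    lic_nonce, license_blob = pkg["license"][:12], pkg["license"][12:]
    inner = AESGCM(device_key).decrypt(lic_nonce, license_blob, b"content-license")
    content_key = user_priv.decrypt(inner, OAEP)
    nonce, ciphertext = pkg["object"][:12], pkg["object"][12:]
    return AESGCM(content_key).decrypt(nonce, ciphertext, b"content-object")
```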
The embodiment of the invention provides a node authentication mode, which ensures the credibility of nodes added into a content chain; when a new node wants to join the content chain, identity authentication needs to be carried out on the node, so that the node joining the content chain is not a malicious node, and safe and stable operation of the content chain is ensured. The flow of (registration) nodes joining the content chain is shown in fig. 3:
Step 21, the user downloads the content chain installation program: when a new node is to be added to the content chain, the code is downloaded first, and then the content chain is installed.
Step 22, installing the content chain: during installation of the code, a configurable script is generated automatically; it contains the following basic configuration information:
License agreement: the user may continue with the installation after accepting the license agreement.
Installation path: the user chooses the directory into which the code is installed.
User password: the password for logging in to the administrator configuration interface, set by the user.
ccnoder is used as the user name, and the password entered by the user is written into the configuration file as the user password, so that identity can be verified when the user later logs in to the administrator configuration interface; the user password is stored as a SHA-256 hash.
Step 23, starting the program
After the code has been installed successfully, the user starts it; the administrator configuration interface is started, and the user can apply for node registration on that interface.
Step 24, login
The user logs in with the user name and password generated during installation and enters the administrator configuration interface once identity authentication passes.
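As an added illustration of the installation and login steps above (not code from the patent), the following Python models the installer writing the ccnoder record to a configuration file and the later login check against it. The page states that the password is stored with SHA-256; this example additionally salts the password and iterates the hash with PBKDF2-HMAC-SHA256, which is an assumption made here because a bare unsalted hash of a password is cheap to brute-force offline. The file name, the JSON layout and the iteration count are also assumptions.

```python
import hashlib
import hmac
import json
import os
import tempfile
from typing import Dict, Optional

ADMIN_USERNAME = "ccnoder"   # user name fixed by the installer (from the page)
PBKDF2_ROUNDS = 200_000      # assumption: the page does not give an iteration count


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt_hex$hash_hex'; a fresh random salt is used unless one is supplied."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def write_config(path: str, password: str) -> None:
    """Installation step: store the user name and the password hash in the config file."""
    config = {"username": ADMIN_USERNAME, "password_hash": hash_password(password)}
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(config, fh)


def login(path: str, username: str, password: str) -> bool:
    """Login step: recompute the hash with the stored salt and compare in constant time."""
    with open(path, encoding="utf-8") as fh:
        config = json.load(fh)
    if username != config["username"]:
        return False
    salt_hex, stored_hex = config["password_hash"].split("$")
    candidate_hex = hash_password(password, bytes.fromhex(salt_hex)).split("$")[1]
    return hmac.compare_digest(candidate_hex, stored_hex)


def demo() -> Dict[str, bool]:
    """Write a constructed config into a temporary directory and try three logins."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = os.path.join(tmp, "ccnode.json")        # assumed file name
        write_config(cfg, "correct horse battery")    # constructed sample password
        return {
            "good": login(cfg, "ccnoder", "correct horse battery"),
            "bad_password": login(cfg, "ccnoder", "wrong"),
            "bad_user": login(cfg, "admin", "correct horse battery"),
        }


if __name__ == "__main__":
    print(demo())
```

The salt is stored next to the hash so the same derivation can be repeated at login; `hmac.compare_digest` is used so that the comparison time does not depend on how many leading bytes match.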
Step 25, node registration
After entering the administrator configuration interface, the corresponding information is filled in according to the prompts; if the related information is already available, it is entered directly. If not, the node applies for it. The application flow is as follows:
Step 251, fill in the basic information as required, including organization name, organization abbreviation, organization code, address, contact person, telephone, e-mail, etc., and submit it.
Step 252, the information is submitted to the root node. After the root node receives the registration application, it randomly generates a symmetric key to serve as a password and returns it to the registering node by e-mail. The mail states that the information has been submitted to the root node for verification and that the node should wait; that it will be notified by e-mail once verification passes; and that, after that notification is received, the encrypted package (the node's public and private keys and the node's registration information, in encrypted form) can be opened with the password contained in this mail.
Step 253, the root node performs manual verification; after verification passes, all the information together with the password randomly generated in the previous step is sent to the license authentication node.
Step 254, after receiving the information, the license authentication node generates a public and private key pair for the node, registers the node's type in its information list, encrypts the node's public and private keys and the node's registration information into an encrypted package with the password passed on by the root node, and sends the encrypted package to the registering node by e-mail. The registration information is used to confirm the current node's information, and the node's public and private keys are used for signing and signature verification during content chain consensus.
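The following Python is an added example (not the patent's code) that models two of the flows above together, because both rest on the same primitive, data sealed under a password: the user-key flow (the reading device fetches the encrypted user private key once, unlocks it with the content chain password, and keeps it only if the user trusts the device), and the node registration flow (the root node's random password protects the key-pair package that the license authentication node mails back). The cipher (PBKDF2 key derivation with HMAC-SHA256 in counter mode and an authentication tag), the random stand-in key pair, the JSON package layout and all class and function names are assumptions; the page does not specify them.

```python
import hashlib
import hmac
import json
import os
from typing import Callable, Dict, Optional

# Password-based authenticated encryption, a stand-in (assumption) for whatever cipher the
# content chain uses: PBKDF2 key derivation, HMAC-SHA256 in counter mode as keystream,
# encrypt-then-MAC. Blob layout: salt(16) | nonce(16) | ciphertext | tag(32).
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = [hmac.new(key, nonce + c.to_bytes(4, "big"), "sha256").digest() for c in range(0, n, 32)]
    return b"".join(blocks)[:n]

def _keys(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)

def encrypt(password: str, plaintext: bytes) -> bytes:
    salt, nonce = os.urandom(16), os.urandom(16)
    key = _keys(password, salt)                      # key[:32] encrypts, key[32:] authenticates
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key[:32], nonce, len(plaintext))))
    return salt + nonce + ct + hmac.new(key[32:], salt + nonce + ct, "sha256").digest()

def decrypt(password: str, blob: bytes) -> Optional[bytes]:
    """None means wrong password or tampered blob; callers treat it as a failed verification."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    key = _keys(password, salt)
    if not hmac.compare_digest(hmac.new(key[32:], salt + nonce + ct, "sha256").digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key[:32], nonce, len(ct))))

class LicenseAuthNode:
    """The CA of the content chain: keeps user private keys only in encrypted form."""
    def __init__(self) -> None:
        self.encrypted_user_keys: Dict[str, bytes] = {}
        self.node_list: Dict[str, str] = {}          # node id -> node type

    def enroll_user(self, user_id: str, private_key: bytes, chain_password: str) -> None:
        self.encrypted_user_keys[user_id] = encrypt(chain_password, private_key)

    def register_node(self, node_id: str, info: Dict[str, str], password: str) -> bytes:
        # Generate the node key pair (random stand-in here; a real node gets an asymmetric pair),
        # record the node type, and seal keys plus registration info under the root node's password.
        keypair = {"public_key": os.urandom(32).hex(), "private_key": os.urandom(32).hex()}
        self.node_list[node_id] = info["type"]
        return encrypt(password, json.dumps({**info, **keypair}).encode())

class ReadingDevice:
    """Fetch the encrypted user key once, unlock it with the chain password, keep it if trusted."""
    def __init__(self, ca: LicenseAuthNode) -> None:
        self.ca, self.fetches = ca, 0
        self.encrypted_keys: Dict[str, bytes] = {}   # what the device holds at rest
        self.trusted_keys: Dict[str, bytes] = {}     # decrypted keys, only on a trusted device

    def open_content(self, user_id: str, ask_password: Callable[[], str], trust: bool) -> Optional[bytes]:
        if user_id not in self.encrypted_keys:       # fetch from the CA only when not already held
            self.encrypted_keys[user_id] = self.ca.encrypted_user_keys[user_id]
            self.fetches += 1
        if user_id in self.trusted_keys:             # trusted device: no password prompt
            return self.trusted_keys[user_id]
        key = decrypt(ask_password(), self.encrypted_keys[user_id])   # password verifies identity
        if key is not None and trust:
            self.trusted_keys[user_id] = key
        return key

def node_registration_flow(ca: LicenseAuthNode, node_id: str, info: Dict[str, str], approved: bool) -> Optional[Dict[str, str]]:
    """Root node side of registration; returns the package as the registering node recovers it."""
    password = os.urandom(16).hex()                  # random symmetric key, mailed to the node
    if not approved:                                 # manual verification at the root node failed
        return None
    sealed = ca.register_node(node_id, info, password)   # info + password forwarded, sealed package mailed back
    opened = decrypt(password, sealed)               # registering node opens it with the mailed password
    return json.loads(opened) if opened is not None else None

def demo_user_flow() -> Dict[str, object]:
    ca = LicenseAuthNode()
    ca.enroll_user("alice", b"alice-private-key", "chain-pw")   # constructed sample user
    dev = ReadingDevice(ca)
    def no_prompt() -> str:
        raise AssertionError("a trusted device must not prompt again")
    return {
        "wrong": dev.open_content("alice", lambda: "bad-pw", trust=True),
        "first": dev.open_content("alice", lambda: "chain-pw", trust=True),
        "later": dev.open_content("alice", no_prompt, trust=True),
        "fetches": dev.fetches,
    }
```

A wrong content chain password fails the authentication tag and yields `None`, so nothing is cached even when the user asked to trust the device; only a successful unlock is remembered. The same `decrypt` failure is what the registering node would see if the mailed package were altered in transit.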
Further, the embodiment of the invention provides an HTTPS certificate issuing mechanism which ensures the security of data in transit; in a content chain system, secure transmission over HTTPS is required. In conventional solutions, a self-signed certificate is generated and then used in the HTTPS server. Since the browser does not trust a self-signed certificate, the CA certificate that signed it must be added to the trusted CA certificates of the system or browser to resolve the browser trust problem. Thus, in the content chain, the license authentication node acts as a trusted CA authority and issues the CA certificates required for HTTPS transmission to the other nodes that need them. Each node requiring a CA certificate adds the CA certificate of the license authentication node to its own trusted CA certificates, and thereby trusts all certificates issued by the license authentication node.
In order to ensure that the normal operation of the content chain is not affected when the license authentication node fails, a backup mechanism with a primary license authentication node and a secondary license authentication node is provided; it prevents network paralysis caused by node failure and ensures the survivability of the license authentication node. The secondary license authentication node performs a full backup of the primary license authentication node's content, and the two nodes have the same functions; they differ only in their working state within the content chain network.
The backup modes are full backup and incremental backup: a full backup backs up all data in the primary license authentication node; an incremental backup backs up only the data modified since the previous backup.
Specifically, the backup flow of the primary license authentication node and the secondary license authentication node is as follows:
When the secondary node starts, it synchronizes data from the primary node by a full backup; then, to keep the secondary node's data consistent with the primary node's as far as possible, the secondary node performs real-time incremental backup: during operation, whenever the primary node has a data update, a synchronization message is sent to the secondary node.
Specifically, the switching process of the primary license authentication node and the secondary license authentication node is as follows:
When the primary license authentication node fails, the secondary license authentication node is switched to the working state in time, which requires monitoring at all times whether the primary and secondary license authentication nodes are in a normal state. This is ensured by heartbeat detection between the root node in the content chain and the primary and secondary license authentication nodes. When the heartbeat of the primary license authentication node is no longer detected, the secondary license authentication node is switched to the working state; after the primary license authentication node recovers, it performs a full backup from the secondary license authentication node and then operates in the role of the secondary license authentication node. When the heartbeat of the secondary license authentication node is no longer detected, the secondary license authentication node is repaired in time, and after it returns to normal, it performs a full backup from the primary license authentication node.
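An added simulation (not from the patent) of the primary/secondary backup and heartbeat switch-over described above: a full backup of the secondary at start-up, an incremental sync on every update, a switch of the secondary to the working state by the root node when the primary's heartbeat times out, and a full backup from the working node when a failed node recovers, after which it runs as the standby. The timeout value, the in-memory data store and the class names are assumptions.

```python
from typing import Dict, List


class LicenseNode:
    """One license authentication node: replicated data plus liveness bookkeeping."""
    def __init__(self, name: str) -> None:
        self.name = name
        self.data: Dict[str, str] = {}
        self.alive = True
        self.last_heartbeat = 0.0

    def full_backup_from(self, source: "LicenseNode") -> None:
        self.data = dict(source.data)               # full backup: copy everything


class RootNode:
    """Root node: receives heartbeats from both license nodes and controls the switch-over."""
    HEARTBEAT_TIMEOUT = 3.0                         # assumed; the page gives no value

    def __init__(self, primary: LicenseNode, secondary: LicenseNode) -> None:
        self.working, self.standby = primary, secondary
        self.standby.full_backup_from(self.working)  # start-up: full sync from the primary
        self.events: List[str] = []

    def heartbeat(self, node: LicenseNode, now: float) -> None:
        if node.alive:                              # a failed node sends nothing
            node.last_heartbeat = now

    def check(self, now: float) -> None:
        """Periodic heartbeat detection by the root node."""
        if now - self.working.last_heartbeat > self.HEARTBEAT_TIMEOUT:
            self.working, self.standby = self.standby, self.working
            self.events.append(f"{self.working.name} switched to working state")
        elif now - self.standby.last_heartbeat > self.HEARTBEAT_TIMEOUT:
            self.events.append(f"{self.standby.name} needs repair")

    def write(self, key: str, value: str) -> None:
        """A data update on the working node is shipped to the standby as an incremental sync."""
        self.working.data[key] = value
        if self.standby.alive:
            self.standby.data[key] = value          # only the changed record travels

    def recover(self, node: LicenseNode, now: float) -> None:
        """A repaired node takes a full backup from the working node and then runs as standby."""
        node.alive, node.last_heartbeat = True, now
        if node is self.standby:
            node.full_backup_from(self.working)
            self.events.append(f"{node.name} recovered, full backup from {self.working.name}")


def simulate() -> Dict[str, object]:
    a, b = LicenseNode("license-A"), LicenseNode("license-B")
    a.data["user:alice"] = "pub-alice"              # constructed sample record on the primary
    root = RootNode(a, b)

    def tick(t: float) -> None:
        root.heartbeat(a, t)
        root.heartbeat(b, t)
        root.check(t)

    for t in range(3):                              # both nodes healthy
        tick(t)
    root.write("user:bob", "pub-bob")               # incremental sync reaches B
    a.alive = False                                 # primary fails
    for t in range(3, 8):                           # root stops seeing A's heartbeat
        tick(t)
    root.write("user:carol", "pub-carol")           # served by B while A is down
    root.recover(a, 8.0)                            # A returns: full backup from B, runs as standby
    return {"working": root.working.name, "standby": root.standby.name,
            "a_data": dict(a.data), "b_data": dict(b.data), "events": list(root.events)}


if __name__ == "__main__":
    print(simulate())
```

The record written while node A was down is missing from A's incremental stream, which is exactly why the page requires a full backup on recovery before the recovered node resumes as the secondary.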
In the embodiment of the application, the root node is the node with the highest management authority in the content chain; it controls backup switching between the primary and secondary license authentication nodes, verifies nodes joining the content chain, generates the related keys, and so on.
While the fundamental and principal features and advantages of the invention have been shown and described, it will be apparent to those skilled in the art that the invention is not limited to the details of the foregoing exemplary embodiments, but may be embodied in other specific forms without departing from the spirit or essential characteristics thereof;
the present embodiments are, therefore, to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein.
Furthermore, it should be understood that although the present disclosure describes embodiments, not every embodiment is described separately; this description is provided for clarity only, the disclosure is not limited to the embodiments described in detail, and the embodiments described in the examples may be combined as appropriate to form other embodiments that will be apparent to those skilled in the art.

Claims (8)

1. A unified authentication method for users under the multi-node condition of a self-organizing network environment, characterized in that triple authentication is carried out on the basis of the license authentication node in the content chain when a user registers, when a reading device is added and when a registering node joins the content chain, so that a user must pass node authentication, device authentication and user authentication to obtain content data in the content chain, thereby achieving secure operation of the content chain and secure data transmission; comprising the following steps:
user authentication when a user registers in the content chain: after verification of the identity information submitted by the registering user passes, the license authentication node returns a unique user id and at the same time generates a user identity public and private key pair for the registering user; the license authentication node uses the user identity public and private keys, by encryption and decryption, to authenticate automatically during identity authentication and during the uploading and obtaining of content objects;
device authentication when a reading device joins the content chain: to join a reading device to the content chain, its app program is submitted to the license authentication node and tested; after the license authentication node's verification passes, the reading device is trusted, and the license authentication node distributes a device public and private key pair to the reading device being joined; the device public and private keys are used to authenticate the device: transmitted data is encrypted with the device public key, and the reading device decrypts it with the device private key after obtaining it;
node authentication when a node joins the content chain: after the node's registration information is filled in, it is submitted to the root node; after the root node receives the registration application, it randomly generates a symmetric key to serve as a password and returns it to the registering node by e-mail; after the root node's verification passes, all the information together with the randomly generated password is sent to the license authentication node; after receiving the information, the license authentication node generates a public and private key pair for the registering node, registers the node's type in its information list, encrypts the node's public and private keys and the node's registration information into an encrypted package with the password passed on by the root node, and sends the encrypted package to the registering node by e-mail; the node registration information is used to confirm the current node's information, and the node's public and private keys are used for signing and signature verification during content chain consensus.
2. The unified authentication method for users under the multi-node condition of a self-organizing network environment according to claim 1, wherein the license authentication node acts as a trusted CA authority and issues the CA certificates required for HTTPS transmission to the nodes in the content chain that require CA certificates, and the nodes requiring CA certificates add the CA certificate of the license authentication node to their own trusted CA certificates, thereby trusting all certificates issued by the license authentication node.
3. The unified authentication method for users under the multi-node condition of a self-organizing network environment according to claim 1, wherein the license authentication nodes comprise a primary license authentication node and a secondary license authentication node; the secondary license authentication node performs a full backup of the primary license authentication node's content; and when the primary license authentication node fails, the secondary license authentication node is switched to the working state.
4. The unified authentication method for users under the multi-node condition of a self-organizing network environment according to claim 1, wherein heartbeat detection among the root node, the primary license authentication node and the secondary license authentication node ensures that the primary and secondary license authentication nodes are in a normal state: when the heartbeat of the primary license authentication node is not detected, the secondary license authentication node is switched to the working state; after the primary license authentication node is restored, it performs a full backup from the secondary license authentication node and operates in the role of the secondary license authentication node; when the heartbeat of the secondary license authentication node is not detected, the secondary license authentication node is repaired, and after it returns to normal, a full backup is carried out from the primary license authentication node.
5. The unified authentication method for users under the multi-node condition of a self-organizing network environment according to claim 4, wherein when the secondary license authentication node starts, data is synchronized from the primary license authentication node by a full backup, and during operation, to keep the secondary license authentication node consistent with the data in the primary license authentication node, the secondary license authentication node performs real-time incremental backup; when the primary license authentication node has a data update, a synchronization message is sent to the secondary license authentication node.
6. The unified authentication method for users under the multi-node condition of a self-organizing network environment according to claim 1, wherein, when reading with an authenticated reading device, the content chain transmits an encrypted content object and a content license, the content license being used to decrypt the content object and being doubly encrypted with the device public key and the user public key; a reading device authenticated by the license authentication node can decrypt and read using the device private key and the user private key.
7. The unified authentication method for users under the multi-node condition of a self-organizing network environment according to claim 1, wherein the content chain interfaces with the publishing system when users are authenticated and registered, and a user association mechanism automatically associates the user account in the publishing system with the user account in the content chain.
8. The unified authentication method for users under the multi-node condition of a self-organizing network environment according to claim 7, wherein the step of automatically associating user accounts in the publishing system with user accounts in the content chain by the user association mechanism is as follows:
the login and registration information is stored in two places, one in the publishing system and one in the content chain, with the mailbox as the unique identifier; when a new user registers, it is first checked whether the user information exists in the publishing system; if not, a request is sent to the license authentication node to check the user information, and if it is not there either, the user information is registered at the license authentication node and at the local publishing end simultaneously; if the user information is in the license authentication node, the user on the content chain is registered and associated with the publishing system; at login, the publishing system and the content chain are queried, and when the publishing system does not have the user, the user is sometimes directly logged in and then implicitly registered and associated with the publishing system.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211727978.9A CN116260625A (en) 2022-12-29 2022-12-29 Unified authentication method for users under multi-node condition of self-organizing network environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211727978.9A CN116260625A (en) 2022-12-29 2022-12-29 Unified authentication method for users under multi-node condition of self-organizing network environment

Publications (1)

Publication Number Publication Date
CN116260625A true CN116260625A (en) 2023-06-13

Family

ID=86687152

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211727978.9A Pending CN116260625A (en) 2022-12-29 2022-12-29 Unified authentication method for users under multi-node condition of self-organizing network environment

Country Status (1)

Country Link
CN (1) CN116260625A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination